HackerTrans
TopNewTrendsCommentsPastAskShowJobs

fabriclayer

no profile record

Submissions

[untitled]

1 points·by fabriclayer·hace 4 meses·0 comments

comments

fabriclayer
·hace 5 meses·discuss
The npm comparison is right but I'd argue you're being generous. At least npm had years before the malicious package wave hit. MCP is getting it within months of going mainstream.

Thing is — your scanner catches the dumb mistakes (eval on untrusted input, hardcoded creds). Those devs are careless. The scarier category is servers with zero code vulns because they were written specifically to be malicious. Clean repo, good README, useful-sounding tool name. Passes every static check. Then on day 7 after it's in a thousand configs, the tool description quietly gets a new paragraph that the LLM reads as instructions.

You can't lint your way out of that. It's a trust problem not a code quality problem.

Does MCPShield do any post-install monitoring or is it purely a before you pull the trigger tool?